You think you know what is connected to your home network? You might be surprised. Learn how to check with nmap on Linux, which will allow you to explore all the devices connected to your network.
You may think that your home network is fairly simple and that there is nothing to learn by analyzing it further. You may be right, but it is likely that you will learn something you did not know. With the proliferation of Internet of Things devices, mobile devices such as phones and tablets, and the smart home revolution – in addition to "normal" network devices such as broadband routers, laptops and desktops – this could be a revelation.
If you need it, install nmap
We will use the nmap command. Depending on the other software you have installed on your computer, nmap may already be installed for you.
Otherwise, here is how to install it in Ubuntu.
sudo apt-get install nmap
Here's how to install it on Fedora.
sudo dnf install nmap
Here's how to install it on Manjaro.
sudo pacman -Syu nmap
You can install it on other Linux distributions using the package manager for your distribution.
Find your IP address
The first task is to discover the IP address of your Linux computer. There is a minimum and a maximum IP address that your network can use. This is the scope, or range, of IP addresses for your network. We will need to provide IP addresses or a range of IP addresses to nmap, so we must know what those values are.
Handily, Linux provides a command called ip, and it has an option called addr (address). Type ip, a space, addr, and press Enter.
In the lower part of the output you will find your IP address. It is preceded by the label "inet".
The IP address of this computer is "192.168.4.25". The "/24" means that there are three consecutive sets of eight 1's in the subnet mask. (And 3 x 8 = 24.)
In binary, the subnet mask is:
11111111.11111111.11111111.00000000
and in decimal, it is 255.255.255.0.
The subnet mask and the IP address are used to indicate which part of the IP address identifies the network and which part identifies the device. This subnet mask informs the hardware that the first three numbers of the IP address identify the network and that the last part of the IP address identifies the individual devices. And since the largest number you can hold in an 8-bit binary number is 255, the range of IP addresses for this network is 192.168.4.0 to 192.168.4.255.
All of this is summarized in the "/24". Fortunately, nmap works with this notation, so we have what we need to start using nmap.
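The mask and range arithmetic above, worked through for any prefix length and not only /24, as an added example that is not part of the original article. The function names cidr_info, ip_to_int and int_to_ip are made up for this sketch, and the /26 address is constructed.

```shell
#!/bin/sh
# Added example: derive the subnet mask and address range from CIDR notation.
# Function names are hypothetical; input is the "inet" value shown by `ip addr`.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_info ADDRESS/PREFIX prints: netmask first-address last-address nmap-target
cidr_info() {
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "expected ADDRESS/PREFIX" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "prefix must be 0-32" >&2; return 1; }
    all_ones=4294967295                      # 32 one bits
    # The mask is PREFIX one bits followed by zeros.
    mask=$(( (all_ones << (32 - prefix)) & all_ones ))
    net=$(( $(ip_to_int "$addr") & mask ))   # network part: address AND mask
    last=$(( net | (mask ^ all_ones) ))      # device bits all set to 1
    echo "$(int_to_ip "$mask") $(int_to_ip "$net") $(int_to_ip "$last") $(int_to_ip "$net")/$prefix"
}

# The address from the article, then a constructed /26 for comparison.
cidr_info 192.168.4.25/24
cidr_info 10.1.2.77/26
```

The last field of each output line is the target you would hand to nmap for that network.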
Start with nmap
nmap is a network mapping tool. It works by sending various network messages to the IP addresses in the range we are going to provide. It can deduce a lot about the device it is probing by judging and interpreting the type of responses it gets.
Let's run a simple scan with nmap. We will use the -sn (scan no port) option. This tells nmap not to probe the ports on the devices for now. It will perform a quick, lightweight scan.
Even so, nmap can take a little while to run. Of course, the more devices you have on the network, the longer it takes. It does all of its probing and reconnaissance work first, then presents its findings once the first phase is complete. Do not be surprised if nothing visible happens for a minute or two.
The IP address we will use is the one we obtained with the ip command earlier, but with the final number set to zero. That is the first possible IP address on this network. The "/24" tells nmap to scan the entire range of this network. The parameter "192.168.4.0/24" translates to "start at IP address 192.168.4.0 and work through all IP addresses up to and including 192.168.4.255".
Note that we use sudo.
sudo nmap -sn 192.168.4.0/24
After a short wait, the output is written to the terminal window.
You can run this scan without using sudo, but using sudo ensures that nmap can extract as much information as possible. Without sudo, this scan would not return the manufacturer information, for example.
The advantage of the -sn option, besides being a quick and lightweight scan, is that it gives you a neat list of the live IP addresses. In other words, we have a list of the devices connected to the network, together with their IP addresses. And where possible, nmap has identified the manufacturer. That is not bad for a first try.
Here is the bottom of the list.
We have established a list of the connected network devices, so we know how many there are. 15 devices are switched on and connected to the network. We know the manufacturer for some of them. Or, as we will see, we have what nmap has reported as the manufacturer, to the best of its ability.
As you look through your results, you will probably see devices that you recognize. There may well be some that you do not. These are the ones we need to investigate further.
Some of these devices are clear to me. Raspberry Pi Foundation is self-explanatory. The Amazon Technologies device will be my Echo Dot. The only Samsung device I have is a laser printer, which narrows that one down. There are a couple of devices listed as manufactured by Dell. Those are easy: a PC and a laptop. The Avaya device is a Voice over IP phone that provides me with an extension on the telephone system at head office. It allows them to pester me more easily at home, so I know this device well.
But I still have questions.
There are several devices whose names mean nothing to me. Liteon Technology and Elitegroup Computer Systems, for example.
I have (way) more than one Raspberry Pi. How many are connected to the network will always vary, because they are continually swapped in and out of duty as they get re-imaged and repurposed. But there should definitely be more than one showing up.
There are a couple of devices marked as Unknown. Obviously, they will need looking into.
Perform a deeper scan
If we remove the -sn option, nmap will also try to probe the ports on the devices. Ports are numbered endpoints for network connections on devices. Consider an apartment building. All the apartments have the same street address (the equivalent of the IP address), but each apartment has its own number (the equivalent of the port).
Each program or service in a device has a port number. Network traffic is delivered to an IP address and port, not just an IP address. Some port numbers are pre-allocated or reserved. They are always used to carry network traffic of a specific type. Port 22, for example, is reserved for SSH connections and port 80 is reserved for HTTP web traffic.
We will use nmap to scan the ports of each device and indicate which ones are open.
This time, we get a more detailed summary of each device. We are told that there are 13 active devices on the network. Wait a minute; we had 15 devices a moment ago.
The number of devices may well vary as you run these scans. This is probably due to mobile devices arriving and leaving, or equipment being switched on and off. Also, be aware that when you switch on a device that has been powered off, it might not have the same IP address as it did the last time it was in use. It might, but it might not.
There was a lot of output. Let's do that again and capture it in a file.
nmap 192.168.4.0/24 > nmap-list.txt
And now we can list the file with less, and browse it if we wish.
As you scroll through the nmap report, you are looking for anything that you cannot explain or that seems unusual. When you review your list, make a note of the IP addresses of any devices that you want to investigate further.
According to the list we generated earlier, 192.168.4.10 is a Raspberry Pi. It will be running one Linux distribution or another. So what is using port 445? It is described as "microsoft-ds". Microsoft, on a Pi running Linux? We will certainly be looking into that.
192.168.4.11 was labeled "Unknown" in the previous analysis. There are many open ports; we must know what it is.
192.168.4.18 was also identified as a Raspberry Pi. But this Pi and the device 192.168.4.21 both have port 8888 open, described as being used by "sun-answerbook". Sun AnswerBook is an (elementary) documentation retrieval system that was retired many years ago. Needless to say, I do not have that installed anywhere. That needs looking at.
The 192.168.4.22 device was previously identified as a Samsung printer, which is confirmed here by the tag that says "printer". What caught my attention is that HTTP port 80 is present and open. This port is reserved for website traffic. Does my printer have a website?
The device 192.168.4.31 is reportedly manufactured by a company called Elitegroup Computer Systems. I have never heard of it and the device has a lot of open ports, so we will look at that.
The more ports a device has open, the more chances a cybercriminal has of getting into it – if it is exposed directly to the Internet, that is. It's like a house. The more doors and windows you have, the more potential points of entry a burglar has.
We lined up the suspects; let's make them talk
The 192.168.4.10 device is a Raspberry Pi with port 445 open, described as "microsoft-ds". A little research on the Internet reveals that port 445 is usually associated with Samba. Samba is a free software implementation of Microsoft's Server Message Block (SMB) protocol. SMB is a way of sharing folders and files across a network.
That makes sense; I use this particular Pi as a kind of mini network-attached storage (NAS) device. It uses Samba so that I can connect to it from any computer on my network. OK, that was easy. One down, several more to go.
Unknown device with multiple open ports
The device with the IP address 192.168.4.11 had an unknown manufacturer and many open ports.
We can use nmap more aggressively to try to extract more information from the device. The -A (aggressive scan) option forces nmap to use operating system detection, version detection, script scanning, and traceroute detection.
The -T (timing template) option allows us to specify a value from 0 to 5. This sets one of the timing modes. The timing modes have great names: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). The lower the number, the less impact nmap will have on bandwidth and other network users.
Note that we are not providing nmap with an IP range. We are focusing nmap on a single IP address, which is the IP address of the device in question.
sudo nmap -A -T4 192.168.4.11
On the machine used to research this article, it took nine minutes for nmap to execute this command. Do not be surprised if you have to wait a while before you see any output.
Unfortunately, in this case, the output does not give us the easy answers that we hoped for.
One more thing we learned is that it is running a version of Linux. On my network that is not a great surprise, but this particular version of Linux is odd. It seems to be quite old. Linux is used in almost all Internet of Things devices, so that could be a clue.
Further down in the output, nmap gave us the Media Access Control address (MAC address) of the device. This is a unique reference assigned to network interfaces.
The first three bytes of the MAC address are known as the Organizationally Unique Identifier (OUI). This can be used to identify the vendor or manufacturer of the network interface. That is, if you happen to be a geek who has put together a database of 35,909 of them.
My utility says that it belongs to Google. With the earlier question about the peculiar version of Linux and the suspicion that it is an Internet of Things device, this points the finger fairly and squarely at my Google Home mini smart speaker.
You can do the same type of OUI lookup online, using the Wireshark manufacturer lookup page.
Encouragingly, this corresponds to my results.
One way to confirm the identity of a device is to perform a scan, turn the device off, and scan again. The IP address that is now missing from the second set of results will be the device you just turned off.
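The scan, switch off, scan again check described above can be done by comparing the two saved outputs, shown here as an added example that is not part of the original article. The function names and both sample scans are constructed (the MAC addresses come from the documentation range), and the sketch also lists addresses that are new in the second scan.

```shell
#!/bin/sh
# Added example: compare two `nmap -sn` runs to see which address dropped out.
# Function names are hypothetical; the scan text below is constructed.
LC_ALL=C; export LC_ALL   # one sort order for both sort and comm

# Print one IP per line from nmap's normal output. The address is the last
# field of each "Nmap scan report for" line, in parentheses when nmap also
# resolved a host name.
scan_hosts() {
    awk '/^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); print ip }' "$1" |
        sort -u
}

# compare_scans COMM_FLAGS BEFORE AFTER
compare_scans() {
    tmp=$(mktemp -d)
    scan_hosts "$2" > "$tmp/before"
    scan_hosts "$3" > "$tmp/after"
    comm "$1" "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
hosts_gone() { compare_scans -23 "$1" "$2"; }   # answered before, silent now
hosts_new()  { compare_scans -13 "$1" "$2"; }   # silent before, answering now

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/before.txt" <<'EOF'
Nmap scan report for 192.168.4.1
Host is up (0.00050s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap scan report for 192.168.4.11
Host is up (0.0040s latency).
MAC Address: 00:00:5E:00:53:0B (Unknown)
Nmap scan report for nostromo.local (192.168.4.15)
Host is up (0.0021s latency).
MAC Address: 00:00:5E:00:53:0F (Unknown)
EOF
# Second run, after switching the mystery device off (a phone has also joined).
cat > "$demo/after.txt" <<'EOF'
Nmap scan report for 192.168.4.1
Host is up (0.00052s latency).
MAC Address: 00:00:5E:00:53:01 (Unknown)
Nmap scan report for nostromo.local (192.168.4.15)
Host is up (0.0019s latency).
MAC Address: 00:00:5E:00:53:0F (Unknown)
Nmap scan report for 192.168.4.30
Host is up (0.11s latency).
MAC Address: 00:00:5E:00:53:1E (Unknown)
EOF

echo "Gone: $(hosts_gone "$demo/before.txt" "$demo/after.txt")"
echo "New:  $(hosts_new "$demo/before.txt" "$demo/after.txt")"
```

Run the two scans close together, since devices that join or leave in between show up in the same lists as the one you switched off.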
The next mystery was the sun-answerbook description of the Raspberry Pi with the IP address 192.168.4.18. The same description of "sun-answerbook" appeared for the device at 192.168.4.21. The 192.168.4.21 device is a Linux desktop computer.
nmap makes its best guess at the use of a port from a list of known software associations. Of course, if any of these port associations is no longer applicable (perhaps the software is no longer in use and has reached end of life), you can get misleading port descriptions in your scan results. That was probably the case here. The Sun AnswerBook system dates back to the early 90s and is a distant memory for those who have even heard of it.
So, if it is not some ancient Sun Microsystems software, what could these two devices, the Raspberry Pi and the desktop, have in common?
Internet searches did not yield anything useful. There were a lot of hits. It seems that anything with a web interface that does not want to use port 80 opts for port 8888 as a fallback. The next logical step was therefore to try connecting to that port with a browser.
I used 192.168.4.18:8888 as the address in my browser. This is the format for specifying an IP address and a port in a browser. Use a colon (:) to separate the IP address from the port number.
A website did indeed open.
It is the admin portal for any devices that are running Resilio Sync.
I always use the command line, so I had completely forgotten about this facility. So the Sun AnswerBook entry listing was a complete red herring, and the service behind port 8888 had been identified.
A hidden web server
The next issue I had noted was HTTP port 80 on my printer. Again, I took the IP address from the nmap results and used it as an address in my browser. I did not need to provide the port; the browser uses port 80 by default.
There you go; my printer has an embedded web server.
I can now see the number of pages scanned, toner level and other useful or interesting information.
Another unknown device
The 192.168.4.24 device did not reveal anything to any of the nmap scans that we have tried so far.
I added the -Pn (no ping) option. This causes nmap to assume that the target device is up and to proceed with the other scans. This can be useful for devices that do not respond as expected and confuse nmap into thinking they are offline.
sudo nmap -A -T4 -Pn 192.168.4.24
This retrieved a lot of information, but nothing that identified the device.
It was reported to be running a Linux kernel from Mandriva Linux. Mandriva Linux was a distribution that was discontinued in 2011. It lives on with a new community supporting it, as OpenMandriva.
Another Internet of Things device, possibly? Probably not – I only have two, and both have been accounted for.
A room-by-room visit and a count of physical devices did not turn up anything. Let's look up the MAC address.
So, it turns out that it was my cell phone.
Do not forget that you can do these lookups online, using the Wireshark manufacturer lookup page.
Elitegroup Computer Systems
My last two questions were about the two devices with manufacturer names that I did not recognize, namely Liteon and Elitegroup Computer Systems.
Let's change tack. Another command that is useful for pinning down the identity of devices on your network is arp. arp is used to work with the Address Resolution Protocol table on your Linux computer. It is used to translate from an IP address (or network name) to a MAC address.
If arp is not installed on your computer, you can install it like this.
In Ubuntu, use apt-get:
sudo apt-get install net-tools
On Fedora, use dnf:
sudo dnf install net-tools
On Manjaro, use pacman:
sudo pacman -Syu net-tools
For a list of devices and their network names, if they have been assigned one, simply type arp and press Enter.
Here is the output from my research machine:
The names in the first column are the machine names (also known as host names or network names) that have been assigned to the devices. I have set some of them (Nostromo, Cloudbase, and Marineville, for example) and some have been set by the manufacturer (such as Vigor.router).
The output gives us two ways of cross-referencing it with the output from nmap. Since the MAC addresses of the devices are listed, we can refer to the output from nmap to further identify the devices.
In addition, since you can use a machine name with ping, and ping displays the underlying IP address, you can cross-reference machine names to IP addresses by pinging each name in turn.
For example, let's ping Nostromo.local and find out what its IP address is. Note that machine names are not case-sensitive.
You must use Ctrl + C to stop the ping.
The output shows us that its IP address is 192.168.4.15. And it turns out that this is the device that appeared in the first nmap scan with Liteon as a manufacturer.
Liteon manufactures computer components that are used by a large number of computer manufacturers. In this case, it is a Liteon Wi-Fi card inside an Asus laptop. So, as noted earlier, the manufacturer name returned by nmap is only its best guess. How was nmap to know that the Liteon Wi-Fi card was fitted to an Asus laptop?
And finally, the MAC address of the device manufactured by Elitegroup Computer Systems matches the one in the arp listing for the device that I have named LibreELEC.local.
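The MAC cross-reference between the arp listing and the nmap output, as an added example that is not part of the original article. The function name, the interface name and both listings are constructed, with MAC addresses taken from the documentation range rather than from real hardware.

```shell
#!/bin/sh
# Added example: match `arp` host names to `nmap -sn` results by MAC address.
# The function name is hypothetical; both listings are constructed sample data.

# join_arp_nmap NMAP_FILE ARP_FILE prints "name ip mac vendor" per arp entry.
join_arp_nmap() {
    awk '
        # First file (nmap): remember the IP from each report line, then file
        # it under the MAC Address line that follows. nmap prints MACs in
        # upper case and arp in lower case, so normalise before comparing.
        FNR == NR && /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); next }
        FNR == NR && /^MAC Address: / {
            mac = tolower($3)
            vendor = $0; sub(/^[^(]*\(/, "", vendor); sub(/\)$/, "", vendor)
            ip_of[mac] = ip; vendor_of[mac] = vendor
            next
        }
        FNR == NR { next }
        # Second file (arp): resolved entries have "ether" in column 2. The
        # header and "(incomplete)" entries do not, so they are skipped.
        $2 == "ether" {
            mac = tolower($3)
            if (mac in ip_of) {
                print $1, ip_of[mac], mac, vendor_of[mac]
            } else {
                print $1, "-", mac, "(not in scan)"
            }
        }
    ' "$1" "$2"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/nmap.txt" <<'EOF'
Nmap scan report for 192.168.4.15
Host is up (0.0021s latency).
MAC Address: 00:00:5E:00:53:0F (Liteon Technology)
Nmap scan report for 192.168.4.31
Host is up (0.0013s latency).
MAC Address: 00:00:5E:00:53:1F (Elitegroup Computer Systems)
EOF
cat > "$demo/arp.txt" <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
Nostromo.local           ether   00:00:5e:00:53:0f   C                     enp3s0
LibreELEC.local          ether   00:00:5e:00:53:1f   C                     enp3s0
192.168.4.99                     (incomplete)                              enp3s0
Marineville.local        ether   00:00:5e:00:53:2a   C                     enp3s0
EOF

join_arp_nmap "$demo/nmap.txt" "$demo/arp.txt"
```

Feed it a scan made with sudo; without it the MAC Address lines that the join depends on are missing from the nmap output.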
And here we are, all the mysteries solved.
All accounted for
We have verified that there are no unexplained devices on this network. You can use the techniques described here to investigate your own network too. You can do it out of interest – to satisfy your inner geek – or to make sure that everything connected to your network has a right to be there.
Do not forget that connected devices come in all shapes and sizes. I spent some time going around in circles and trying to find a strange device before realizing that it was actually the smart watch on my wrist.